Something Phishy Going On

by Rob Zorn
from the August 2004 Newsletter

Phishing is one of the latest scams plaguing the Internet. Examples of variations on the scam have been appearing periodically in the news over the last few months. If you haven't yet had someone trying to phish for your personal details, then it's probably only a matter of time.

Phishing is usually attempted by e-mail. A message comes to you masquerading as an e-mail from your bank or from some other organisation that uses usernames and passwords for online security, such as eBay or PayPal. The e-mail tells you some story about how you need to click a link and enter your personal details at a site, supposedly so they can maintain security. Of course, you are sent to a site that only pretends to be legitimate, even though it may look very real. Your username and password are captured by software at that site, and the thieves then have access to your account.

Phishing e-mails prey upon people's fears about online security, and attempt to trick them into the very thing they fear. The irony would be amusing if the matter weren't so serious. In this article I want to look at three phishing e-mails I have personally received in the last month. I want to look at what they are trying to get me to do, what they have in common, and how to tell that they're not the real thing. You can click here to visit a page that has a copy of each of the phishing e-mails I've recently received. The example page will open in a new window so you can flick back and forth for comparison if you like.

The first e-mail pretends to come from eBay, the popular online auction site. I do have an eBay account and I use it quite regularly. However, whoever sent me this e-mail doesn't know that for certain. They've sent it to millions of addresses they've gotten from a spam list. They know that people who don't have eBay accounts will probably ignore or delete the e-mail. They hope some of those who do have eBay accounts will believe them.

This e-mail tells me that someone has been using my account to make fake bids. I am told to speed up their investigation by following a link to a page where I can update my account details. This piece of phish is trying to alarm me so that I will act quickly without thinking too much. It sounds plausible that they would want me to log in and change my password. If I followed the link, no doubt there'd be a place for me to enter my current user name and password and a place for me to supposedly enter a new password. Of course the update password feature would be fake. The phishing thieves would only be interested in capturing whatever I put into the current user name and password fields. There could also be some malicious software lurking at that site hoping to play havoc with my system if I'm foolish enough to be surfing the net with a browser that I haven't updated for months (see article: The Windows Update Page).

The senders of this e-mail have made some effort to capture an eBay look and feel. They've stolen the eBay logo and talk about Safeharbor, which is an eBay feature. They've even put copyright small print at the base of the logo, which is the sort of thing you might expect from a big important online firm.

However, there are a number of indications that the e-mail is false. Firstly, it is full of spelling, grammar and punctuation errors. I've marked these in red on the examples page. The writing style is also clumsy and not at all what you'd expect from a company that turns over hundreds of millions of dollars every year, and which can easily afford to hire professional writers.

Secondly, the e-mail does not address me by name or mention my eBay user name. If this really did come to me from eBay, they would have my contact details, including my personal name, in their database.

Thirdly, the link as it appears on the page does not match the link in the e-mail's code. The text of the link reads http://scgi.ebay.com/verify_id=ebay&user=00626654. That looks like a link to a subdomain (scgi) of the eBay site (ebay.com), and so appears legitimate. However, when I mouse over the link and look at the bottom of my e-mail program, where the real destination is displayed, I find that the link actually goes to http://ebay.scgi-verify.com/verify_id-00626654.htm. The two look similar, and the phishers are hoping I won't notice the difference. But the real link is not to a subdomain of ebay.com. It is to a subdomain named ebay of a website actually called scgi-verify.com. The part of the address that counts is read from the right: the last two parts of the host name (ebay.com in the first address, scgi-verify.com in the second) say who owns the site, and whoever owns scgi-verify.com can name a subdomain of it anything they like, including ebay. If I've confused you here, the only important thing to note is that the link appears to be a genuine link to eBay. In fact it links to some other site not related to eBay at all, and therefore not to be trusted.
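The mouse-over check above can be done mechanically. The Python script below is an added example and not part of the original article: it parses a constructed HTML e-mail fragment, pairs each link's visible text with its real href, and compares the domain each points to, flagging a link when the shown and real domains differ or when the real domain is not one the organisation owns. The sample message, the LEGIT_DOMAINS allow-list and the two-label domain rule are assumptions for illustration; a production checker would use the Public Suffix List so that names like ebay.co.uk are handled correctly.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML e-mail fragment whose visible link text names
# an eBay host while the real href points elsewhere. This is an added
# example, not the message the article describes.
SAMPLE_EMAIL_HTML = """
<p>Please verify your account here:
<a href="http://ebay.scgi-verify.com/verify_id-00626654.htm">
http://scgi.ebay.com/verify_id=ebay&amp;user=00626654</a></p>
<p>Or visit <a href="http://www.ebay.com/">eBay</a>.</p>
"""

# Hypothetical allow-list of the organisation's real registrable domains.
LEGIT_DOMAINS = {"ebay.com"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g.
    'ebay.scgi-verify.com' -> 'scgi-verify.com'. Deliberately simple:
    a real checker would consult the Public Suffix List (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []      # list of (href, text)
        self._href = None    # href of the <a> currently being read
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def classify_link(href: str, text: str) -> dict:
    """Compare where a link claims to go (its visible text) with where it
    really goes (its href) and decide whether the real host belongs to the
    organisation the message claims to come from."""
    real_host = urlparse(href).hostname or ""
    real_domain = registrable_domain(real_host)
    shown_host = ""
    if re.match(r"^https?://", text, re.I):   # visible text is itself a URL
        shown_host = urlparse(text).hostname or ""
    shown_domain = registrable_domain(shown_host) if shown_host else ""
    return {
        "href": href,
        "real_domain": real_domain,
        "shown_domain": shown_domain,
        # The URL shown to the reader and the real URL differ in domain.
        "text_mismatch": bool(shown_domain) and shown_domain != real_domain,
        # The real destination is outside the organisation's own domains,
        # even if a label such as 'ebay' appears somewhere in the hostname.
        "offsite": real_domain not in LEGIT_DOMAINS,
    }


def suspicious_links(html: str) -> list:
    """Return the classification of every link that fails either check."""
    parser = LinkCollector()
    parser.feed(html)
    return [r for r in (classify_link(h, t) for h, t in parser.links)
            if r["text_mismatch"] or r["offsite"]]


if __name__ == "__main__":
    for result in suspicious_links(SAMPLE_EMAIL_HTML):
        print(result)
```

Run against the sample, only the first link is reported: its visible text resolves to ebay.com while its href resolves to scgi-verify.com, and that domain is not on the allow-list. The second link is left alone because its text is plain wording rather than a URL and its real host really is under ebay.com.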

The most obvious sign that the e-mail is fake is that firms like eBay, as well as banks, will never send you an e-mail asking for your password. It's part of their policy which they've put in place for the very reason of helping customers guard against this sort of thing. If you know your bank or online company will never e-mail you asking for your password, then you know that any attempt to do so is necessarily fraudulent.

The second e-mail purports to come from Westpac Bank New Zealand. Again, the phishers have sent this to millions of New Zealand e-mail addresses. Non-Westpac customers will ignore or delete the e-mail. Westpac customers might be fooled, not realising that the e-mail has been so widely sent out. This e-mail asks me to go to a link and enter my banking user name and password in order to help "Westpac" with a "period review of member accounts," whatever that means. It is a pretty pathetic attempt. They don't even bother to forge the look and feel of Westpac Bank, and the language is again rather clumsy. Of course the link does not go to the Westpac Trust site at all. It goes to a site (now removed) that no doubt resembled the Westpac log-in page, but which was designed to capture my user number and password for later criminal use.

So the same basic signals of fakeness apply: poor language, I'm not greeted by name or number, and the link shown does not match the link in the code, which does not go to the Westpac site.

The last example e-mail purports to come from PayPal. I do have a PayPal account which I use for overseas purchases, but again, the phishers don't know that. Again, they've sent this e-mail to millions of people. This time they have made a good attempt at capturing the look and feel of PayPal, by copying the PayPal logo and colour scheme.

This one attempts to get me to hand over my PayPal login details as part of "routine efforts at security maintenance." The language, however, especially in the second sentence, was not produced by any commercial writer worth his or her salt, and the disclaimer at the bottom abruptly ends mid-sentence. Again, all the common telltale phishing signs are there.

So what should you do if you receive a phishing attempt? There's probably not a whole lot you can do. You could report the e-mail to your bank or to the online company being imitated, but they probably already know. Jon Peacock from our Internal Affairs Department has assured me that they're certainly aware of these attempts at fraud, and will work to catch the offenders wherever they can. Of course they are hampered by the fact that most operate from overseas and are very adept at hiding themselves.

You don't need to worry that you are being specifically targeted. Millions of these e-mails are sent out and the senders almost certainly don't know anything specific about you. The e-mail itself is probably not all that dangerous either, as long as you don't follow its advice or instructions. In most cases I wouldn't recommend visiting the sites they direct you to, even out of curiosity. While it is true that you're probably safe as long as you don't put your sensitive data into their online form, you still never know what sort of malicious software might be lurking at the site hoping to take advantage of any browser vulnerabilities you might have. Again, this probably won't be an issue if you have all the latest patches installed, but it is better to be safe than sorry.

You're best off just to delete the e-mail and not lose a lot of sleep over it.